ASK THE EXPERTS - CCIE SECURITY

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on CCIE Security with Yusuf Bhaiji. Yusuf Bhaiji is the product manager for the Cisco CCIE Security certification and is the CCIE Proctor in the Cisco Dubai Lab. Bhaiji has been with Cisco for 10 years and has 20 years of industry experience in security technologies and solutions. He also chairs the Networkers Society of Pakistan and the Pakistan chapter of the IPv6 Forum. Bhaiji has authored four books for Cisco Press: "Network Security Technologies and Solutions," "CCIE Security Practice Labs 1st Edition," "CCIE Security v3.0 Configuration Practice Labs 2nd Edition," and "CCIE Security Flash Cards." He has also been a technical reviewer for Cisco Press, a writer and presenter on various security technologies, and a frequent lecturer and speaker at conferences and seminars. Bhaiji holds a master's degree in computer science as well as CCIE certification #9305 (R&S and Security).

Remember to use the rating system to let Yusuf know if you have received an adequate response.

Yusuf might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through September 13, 2010. Visit this forum often to view responses to your questions and the questions of other community members.


Replies

I am a Computer Network student and have successfully completed my CNAP (Cisco Network Academy Program). I am going to take the CCNA exam soon and after that I'll go for CCNP. Sir, I am confused about Cisco certification. I am interested in both Cisco Security and Voice, but I do not understand which path I should take after CCNP.

Please correct me if I am wrong: is CCNA Security the basic or prerequisite for CCSP (Cisco Certified Security Pro) and CCNA Voice the prerequisite for CCVP (Cisco Certified Voice Pro)?

My other question is which path I should take, Cisco Security or Cisco Voice? I am actually confused between the two of them and sometimes do not understand which path I should take after CCNP. Do you really think that security is also important in Cisco Voice?

To answer your other query regarding the technology choice of Security vs Voice, it very much depends on your future plans and career aspirations. For example, if you wish to be an expert in Security and work as a security consultant/engineer, then you should pursue CCSP and CCIE Security. Whereas, if you like working with IP telephony solutions and deploying Voice solutions, then you should pursue CCVP and CCIE Voice. … it all comes down to what you want to do in your career in the next 2-3 years. Both have their own importance and need in the industry; neither is more important than the other, both technologies are good, and it depends which technology is more INTERESTING for you.

If you do CCNA Security and CCSP, you will cover most of the security technologies and solutions that Cisco has to offer.

However, VoIP security is a different subject and is not covered in these courses. Having said that, you can always work in a VoIP environment with your Security background, as it will give you a better understanding of the network.

We have a star topology using EIGRP and VRFs. We recently added a new site to our network. However, what makes this site different from the rest of our sites is that it is making use of another company's facilities and Comcast connection. The spare Comcast connection terminates at all their buildings as well as our building. It's only a handful of users. The few users will use this Comcast connection to access resources on our network off the 6509. Please see the diagram. They have connectivity, but as of now there is no security on this connection. If someone from that company were to plug computers in on that connection at any building where it terminates and use the same line those users are using, they would gain access to our resources and network. What would you recommend we do to secure the connection and users? Any suggestions would be great.

I think your post is in the wrong session forum. This session is specifically focusing on CCIE Security certification in order to help candidates pursuing CCIE cert, and provide them guidelines and prep resources.

For all your technical support and design queries, kindly post your question on the NetPro forum under the Security section below, and an SME will be able to help you with your queries.

I have just started preparing for the CCIE Security lab, having passed the written in July. The hardware/software blueprint is about 18 months old right now; will there be updates to this shortly? Specifically, do you foresee moving to ACS 5.x? The other pieces aren't as big of a change, as the hardware wouldn't change (ASA/IPS/ISR). Do you also envision including other technologies in the future, like NAC maybe?

Due to confidentiality I cannot share much; however, there are no major changes coming, only minor stuff. ACS 5.x is not coming for sure, so you can strike that out.

If we make any changes to the blueprint (add/remove technologies and products), we will announce it on website and give sufficient time to the candidates to ensure they can prepare ahead of time. Stay tuned.

I am Ayman. I am preparing for my CCIE Security lab in October and I really need your help to know if there are any changes coming during the period before my exam date. And, due to my work, if I cannot take it in October and take it in 2011 instead, is there any possibility that it will be changed at the beginning of the new year? Sorry for this long one, but it is my first trial and I am really confused about it.

Due to confidentiality I cannot tell you what/when changes are going to occur before we make a public announcement; however, there are no major changes coming, only minor stuff.

If we make any changes to the blueprint (add/remove technologies and products), we will announce it on website and give sufficient time to the candidates to ensure they can prepare ahead of time. Stay tuned and keep checking the CLN website regularly.

It is well-known that the core knowledge questions have been introduced in the CCIE lab exam to overcome the problem of cheating. During the Cisco Live! presentation this year, you mentioned that about 3% of people pass the configuration section and fail the core knowledge questions. Theoretically, these are the *potential* "braindumpers" who have been filtered by the open-ended questions. Among these people, of course, there are "honest" candidates as well. Therefore, the amount of "cheaters" filtered by the core knowledge section should be expected to be around 1%. This is the estimated empirical filter "efficiency".

Based on that simple observation, it is apparent that using the core knowledge section does not really improve the exam's integrity. Simply put, most of the "cheating" candidates fail the configuration section even without the core knowledge questions. It makes sense to simply go ahead and replace the open-ended questions with additional configuration tasks that, for example, may change in different exam variations. Given these conclusions, should we expect the core knowledge section to be eliminated any time soon, noticing all the controversy it creates among the "honest" exam candidates?

I understand where you are coming from, but we have other reasons to include CK, including cheating countermeasures when enforcing CK. However, as stated earlier in my other posts/presentations, CK may eventually be removed in the future once we can establish that the CK items are no longer required to produce secure and valid test results.

Thanks for the prompt reply! My other question is how "unbiased" the exam questions are going to be in the future. By "biased" I mean questions that use vague or tricky wording that is subject to the candidate's interpretation. This interpretation may not be unique (e.g. "use a VPN technology that offers best scalability" could be, say, GET VPN or DMVPN, since both are scalable in some sense). As a counterexample, an ideal lab exam question should clearly state the "verification" procedure, e.g. specify that the candidate should be able to ping from point A to point B and obtain a specific "show" command's output (e.g. provide explicit "show crypto ipsec sa" or "debug crypto isakmp" output as part of the scenario). This would allow a candidate to be 100% sure whether his/her solution was wrong or right, without guessing.

My hope is to see the exam getting more "objective" and less "vague". An ideal test is one where a candidate cannot be failed simply because he/she misinterprets a question based on language vagueness. Making the exam scenarios uniquely interpretable and clearly *verifiable* will greatly increase the value of the CCIE certification.

Yes, we make an announcement on the website whenever a change is made; the heads-up time depends on the level of change (minor/major) and it can vary from 1 month advance notice up to 3 months. In some cases, when the blueprint is refreshed overall, we can give up to 6 months advance notice. So it entirely depends on the level of change in question.

I have just acquired two Cisco 2516 routers. I am trying to perform a password recovery/reset. I am trying to follow the procedures in document ID 12722; however, I notice that there are several aspects of the router that are disabled in the configuration, such as BREAK, diagnostic mode, etc. What is the best way to perform a password recovery when the standard methods will not work?

Hi Yusuf, I took my exam on 6th September at the Bangalore center. There was a link problem between 12 am and 1 pm. I am pretty sure that I did all the required configuration correctly, but I still got 0% in VPN and in IPS, and in CoPP I got 58%, so I want a re-evaluation. Is there any minimum criteria below which one cannot apply for re-evaluation? Please reply.

Yes, there is a minimum criteria/score required in order to be eligible for a reread request; if your total score is below the required threshold, you cannot request a re-evaluation. For more information, please open a customer support case.

My name is Aritra Ghosh. I took the CCIE Security lab on 6th September in Bangalore. In the lab the link was flapping from 12 am to 1 pm. I did the VPN configurations correctly and the data was properly getting encrypted and decrypted; I am pretty sure that I did the VPN configuration correctly, but I still got zero percent in VPN. Also, in the IPS there were three sections and I did all the configuration correctly, but I still got zero percent in IPS.

If my IPS was not configured correctly, how was I able to get 100% in identity management, when the traffic for the identity management was flowing through the IPS? I am totally confused now. Do you think that the checking done by Cisco can be wrong? I want to re-evaluate my results, but my overall percentage is coming to fifty. Am I eligible for re-evaluation? If not, how can I raise a case so that the checking of my exam is done again? Please give me some suggestions as soon as possible, because I want to take some steps.

Firstly, I wish to thank you for your efforts in creating the Cisco Press material for the CCIE Security. I've learnt so much from my studies, which has enabled me to excel in my current position. I put this down to my hard work and your mentoring.

After taking the CCIE a number of times, I've seen various Qs from the lab posted on forums. These included not only lab Qs, but I also saw 3 of the 4 OEQs I had from my last attempt posted online! (I did report this to NDA @ Cisco.) I've also seen pass4sure documents that are pretty much word for word the same as the lab I have had.

After spending so much time and effort to gain the CCIE, I'm feeling that it's being devalued. Of the people that I know who have recently passed, I would say 75% have no experience with Cisco equipment. I was also asked by a recently certified candidate what a FWSM is!?!?

My Q to yourself is, what reassurances can you give that Cisco is protecting the value of the certification, and is anyone being punished for breaking the NDA?

First, I appreciate you bringing up this discussion and your concerns about the CCIE certification. I would like to assure you that we take these matters very seriously. We have a dedicated team of Enforcement experts who are well qualified to review and take action accordingly. We get many, many cases on a regular basis, and the Enforcement team works on EACH one individually, documents it and takes the necessary action. Actions include warnings and a ban from certification (from a 1-year up to a lifetime ban, depending on the severity). Be assured, we do take action upon a conclusive breach.

I would like to check, for your CCIE Security practice book "CCIE Security v3.0 Configuration Practice Labs 2nd Edition," whether there are any remote racks following the same physical and logical topology available for online purchase to practice the labs, or is each individual expected to build the lab physically by himself?

I am on my way towards Security. I have read your books and they really helped me a lot. Can you please refer me to some RFCs, IEEE documentation or other standards documentation that can supplement the books that I read?

I understand the idea of using different security levels to permit traffic flow from higher to lower security levels. I'm not sure I understand a compelling reason to rely on security levels instead of inbound and outbound ACLs applied to each interface, with all the interfaces set to the same level. Am I missing some best practice or firewall fundamental? Since I use inbound and outbound ACLs, I feel like I have complete granular control over the traffic, so I'm not concerned about things that shouldn't be allowed getting through because of the same-security-traffic permit inter-interface command being applied as well (usually for NAT exemption purposes). I have seen some difficulties getting one-to-one static NATs to play well when you're doing various types of NAT and NAT exemption between all of these interfaces, which immediately work like you would expect when you do give in and use different security levels. Thoughts? Will the security level model eventually change and fade into the sunset? Being able to use inbound and outbound ACLs seemed like such a better way to control traffic than these security levels that I got used to using on the old PIX 6.3(5) code. Thanks.

Eli

--edit--

sorry please ignore I just noticed this Ask the Expert is only in regards to CCIE Security certification and not Security in general. I apologize for the mispost. I'd remove it, but I don't see a delete option available.
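Although the post above was retracted as off-topic, the two policy models it contrasts are worth seeing side by side. The following ASA configuration is an added illustration, not part of the original thread and not taken from Cisco documentation or from Yusuf Bhaiji's books; interface names, the RFC 5737 documentation addresses and the ACL names are constructed for the example, and the lines beginning with "!" are annotations rather than configuration.

```text
! --- Model 1: rely on security levels (ASA default behaviour) ---
! With no ACL applied, traffic from a higher to a lower security level is
! permitted implicitly and the reverse direction is denied implicitly.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
! inside -> outside: allowed by the level difference alone
! outside -> inside: denied until an inbound ACL on "outside" permits it

! --- Model 2: equal security levels, explicit ACLs on every interface ---
! Interfaces at the same level exchange no traffic at all until this is set:
same-security-traffic permit inter-interface
interface GigabitEthernet0/1
 nameif inside
 security-level 50
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 198.51.100.1 255.255.255.0
! Once an ACL is bound inbound on an interface, the level-based implicit
! permit for traffic entering that interface is replaced by the ACL's own
! implicit deny, so every allowed flow must be listed explicitly.
! (Hypothetical ACL names and hosts.)
access-list INSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
! Nothing initiated from the DMZ is allowed back towards inside:
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

The practical difference is what happens when an administrator forgets something. In model 1, an interface with no ACL still passes traffic "downhill", so an omission opens a path; in model 2, an interface with no ACL but an equal level passes nothing, and an interface with an ACL passes only what the ACL names, so an omission closes a path. The explicit "deny ip any any log" at the end of each list does not change what the implicit deny would already do; it exists so that denied flows show up in syslog and in the hit counters of "show access-list", which is how you confirm the ACL, rather than the security level, is actually the thing making the decision.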

I am preparing to take the CCIE Security lab soon, and would like to ask you if you can share with us what version of the ASA software is used in the lab (8.3 brings some changes a lab candidate would have to look out for) ? It would help "fine tune" my preparation for the lab :-)

Also, I would like to confirm that the features tested are only the ones introduced up to the version posted on the Lab Equipment page (for the ASA this would be 8.0, since the page refers to 8.x)?

On a general note, if you see any device with a software version higher than listed on our website, we are not going to test any new features; only features from the version listed on the website will be tested.